Solved

I found a file that is some sort of virus that I can't remove

Posted on 2004-04-22
Last Modified: 2013-12-04
I am dealing with a DLL file called ndhygv.dll on a Windows XP Home Edition PC. I can't remove the DLL.

I found it in the registry, delete the key and it puts it back by itself.

I delete it from startup using msconfig, then close msconfig and choose not to reboot. Then I run msconfig again and look at Startup. It is there again. The virus? is putting it back in for me. In safe mode, I can't delete the file either.

Any ideas?  <removed by modulo>

I would greatly appreciate any assistance.

Tim Chapman
Question by:TimChapman
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 500 total points
 
LVL 49

Expert Comment

by:sunray_2003
TimChapman,
> I delete it from startup using msconfig

Did you mean disable it?

Go to the Startup tab in msconfig and disable all applications. Reboot the machine and check if it appears. If it does not appear, then enable the applications one by one and check which application might cause that.

#Sun
 

Author Comment

by:TimChapman
I did go to the Startup tab and disable each application other than the Norton applications. I also tried unchecking the button that says Load Startup Items. I would then exit msconfig without rebooting. I would then immediately open it again. The Load Startup Items button would be checked and the item would be checked in the Startup list. The virus? is doing this itself. Same when I would remove it from the registry. It would put itself back. This is a very difficult problem to solve because safe mode did not help either. Same results there. It loads in safe mode.
 
LVL 49

Expert Comment

by:sunray_2003
TimChapman,
>  I would then exit msconfig without rebooting.  

As I had previously said, after doing that in msconfig reboot the machine and see what happens.

Have you used the spyware removal tools and checked for viruses?

Post back after doing all these.
 
LVL 49

Expert Comment

by:sunray_2003
TimChapman,

Also try this

First make a backup of your registry.

Then go to the registry and search for that name that you see in that folder on the desktop.
If you are not familiar with it, delete it.

For searching, first press Ctrl + F. After it reports the first result, press F3 and search again, and keep doing so until you find all references to it.

Post back.
 
LVL 49

Expert Comment

by:sunray_2003
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;322756
 

Author Comment

by:TimChapman
After disabling all applications in msconfig and rebooting, I ran msconfig again. The entry was still there and the startup items were enabled. Having disabled them before shutdown, it seems that the virus? is re-enabling the startup items.

> in that folder in desktop

What folder are you referring to?
 
LVL 49

Expert Comment

by:sunray_2003
Oh, I meant this ndhygv.dll.

Search for this name in the registry and remove it if you are not sure what it is.
I do not see any reference to this DLL on Google, so you can remove it.

msconfig checks these in the registry:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Go to the registry, check these and remove anything that you are not sure of.
 

Author Comment

by:TimChapman
I removed all entries with ndhygv.dll. Before I could even close regedit, they were back again. This is very insidious. I checked the Run and RunOnce keys and deleted all I did not recognize, but it did no good as these entries would return by themselves. There is no point in deleting more entries as the changes won't take effect until I reboot and the DLL is run again. This needs tougher measures and I don't know where to begin.
 
LVL 49

Expert Comment

by:sunray_2003
Also try doing these:

a) Remove temporary internet files, cookies and history by going to Internet Explorer ---> Tools ---> Internet Options.

b) Go to Start --> Run --> %temp%
Remove all the files there. DO NOT REMOVE THE TEMP FOLDER. Just remove the files inside.

c) Also do Disk Cleanup.
 
LVL 49

Expert Comment

by:sunray_2003
TimChapman,

Have you tried all the spyware tools and virus scanners yet? Try them and post back.

Check your Control Panel --> Add/Remove Programs for any unknown program. If you have any, uninstall them.

Also use these registry cleaners:

jv16 http://download.com.com/3000-2094-10196668.html?tag=lst-0-1 (FREEWARE)
RegCleaner http://www.vtoy.fi/jv16/shtml/regcleaner.shtml
AATools RegClean http://www.glocksoft.com/aatools_registry_cleaner.htm
Registry Medic  http://www.iomatic.com/products/product.asp?ProductID=registrymedic
RegVac  http://regvac.com/fregvac.htm#download
 

Author Comment

by:TimChapman
I tried deleting temporary internet files.  Some won't delete.

I did not run %temp%.   Please tell me what that should do.  I have never seen that before.

The computer hangs when I try to do a disk cleanup.
 
LVL 49

Expert Comment

by:sunray_2003
TimChapman,
> I tried deleting temporary internet files.  Some won't delete.

What do you mean by this?

Go to Start --> Run and type in " %temp% " (without quotes).
It will open the temporary folder where all temp files are stored on your machine.
Remove all those files.


Not sure why Disk Cleanup would hang your machine. Wait for some time when you do Disk Cleanup, as there would be many unwanted files to clean up.

Restart the machine after doing all these.
 
LVL 49

Expert Comment

by:sunray_2003
What is the status?

Have you tried all spyware tools, virus scanners etc.?

Remove all those temp files.

Post back.
 

Author Comment

by:TimChapman
I have to wait to do those. The computer is at a client's location. He may not want to pay me the hours needed to continue. I emailed him to ask him to let me have the computer at my site so I can work on it without charging him. I would like to get to the bottom of this virus (?). I was very surprised to find nothing about it when I searched Google. Looks like something new.

I don't understand the Experts Exchange regarding the Accept button.  When I accept a reply, does that mean the sender gets the 500 points?

Thanks for your effort on this.  I will try to see this to completion so the points can be given and so that the problem can be solved and the information shared.

Tim
 
LVL 49

Expert Comment

by:sunray_2003
Looks like it is a new virus or trojan or spyware.

This is how it works:

You assign 500 points, or however much you can, depending on the question.
Once you click Accept, you will be taken to a page where you need to give the grade.
Depending on the grade, the expert would get points.

Say if you give an A grade, the expert would get 500 * 4 = 2k points;
if B grade, 500 * 3;
if C grade, 500 * 2.

Hope you understand.
 
LVL 12

Expert Comment

by:trywaredk
Cleaning your computer - and protecting it in the future - can't be answered with one issue.

As you can see in my URL below, there are at least 7 different issues, where you should decide on 1 of each, or else you don't protect your computer at all.

The reason is that the many different programs do not always protect against each other, and each of them doesn't protect equally.

It's very important that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus-suite, and SoftScan , and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
 
LVL 12

Expert Comment

by:trywaredk
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
 
LVL 12

Expert Comment

by:trywaredk
This is how to find ndhygv.dll and stop it.

1. Start / Run / regedit
2. ENTER
3. CTRL-B
4. ndhygv.dll
5. ENTER
6. If you find it in HKCR/CLSID/{xxxx-xxxx-xxxx}/InprocServer32 then identify all the {yyyy-yyyy-yyyy} in the regkey like HKCR/CLSID/{xxxx-xxxx-xxxx}/Implemented Categories/{yyyy-yyyy-yyyy}
7. If you can find the same {yyyy-yyyy-yyyy} in HKLM/Software/Microsoft/Internet Explorer/ActiveX Compatibility/ then set a kill bit according to:

How to Stop an ActiveX Control from Running in Internet Explorer
http://support.microsoft.com/default.aspx?scid=kb;en-us;240797&sd=tech
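As an added example (not code from the thread or from any of its posters): a small Python parser over a regedit .reg export that finds which of the Run keys listed by sunray_2003 and which CLSID InprocServer32 entries from trywaredk's steps reference a given DLL, and whether the ActiveX Compatibility key for that CLSID carries the 0x400 kill bit described in KB240797. The sample export, its GUID and its paths are constructed for illustration.

```python
import re
# Constructed sample .reg export (not from the thread): a Run entry, a CLSID whose
# InprocServer32 loads the DLL, and the ActiveX Compatibility key for a kill bit.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NAV"="C:\\Program Files\\Norton\\navapw32.exe"
"ndhygv"="rundll32.exe C:\\WINDOWS\\System32\\ndhygv.dll,Start"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\System32\\ndhygv.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000400
"""

RUN_KEYS = ("\\Run", "\\RunOnce", "\\RunOnceEx", "\\RunServices")
KILL_BIT = 0x400  # Compatibility Flags bit described in KB240797
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg text (string and dword values)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "@" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:  # .reg doubles backslashes inside quoted string data
                keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_dll_references(keys, dll):
    """List Run entries and CLSIDs that load `dll`, and whether each CLSID has the kill bit."""
    dll = dll.lower()
    run, clsids, killbit = [], [], {}
    for path, values in keys.items():
        for name, data in values.items():
            if isinstance(data, str) and dll in data.lower():
                if path.endswith(RUN_KEYS):
                    run.append((path, name, data))
                elif path.upper().endswith("\\INPROCSERVER32"):
                    clsids.extend(GUID_RE.findall(path))
    ax_base = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\"
    for guid in clsids:
        flags = keys.get(ax_base + guid, {}).get("Compatibility Flags", 0)
        killbit[guid] = bool(flags & KILL_BIT)
    return {"run": run, "clsids": clsids, "killbit": killbit}
```

Run it against a real export (regedit, File > Export, whole registry) by reading the file with `open(path, encoding="utf-16")` and passing the text to `parse_reg`; the benign NAV entry in the sample is not flagged because its data never names the DLL.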
 
LVL 5

Expert Comment

by:barcelona_blom
Tim Chapman

Use this command to unregister the DLL file, then delete it.
Change the path to wherever the DLL resides.

regsvr32 /u \windows\[controlname]       Click Start, then Run, and enter the command.

Then delete the registry entries for the file.

 
LVL 8

Expert Comment

by:nader alkahtani
regsvr32 /u %systemroot%\system32\ndhygv.dll

ENTER

regsvr32 /u %systemroot%\system\ndhygv.dll

ENTER

good luck